The Hidden Security Risks Behind WPS on Home Routers

digitado ⋅ 28 de April de 2026

If you’ve been following my previous articles on WPA networks, you’ll know the major problem remains weak user passwords. It’s evident that humans simply struggle to create strong, secure ones, and even when they do, typing a 15-character password every time is especially annoying on a smart TV, where typing with a remote is far from ideal.

Want to learn more about passwords, check out my other article:

https://hackernoon.com/youve-learned-to-break-wi-fi-now-learn-to-lock-it-down?embedable=true

The Wi-Fi Alliance had a solution for this as early as 2006.

The Wi-Fi Alliance reported that 60–70% of users did not configure their routers properly, leaving default credentials, failing to choose secure encryption, or even having no password at all.

For some, this stemmed from a lack of awareness; they didn’t know how, while others neglected it for convenience. This widespread issue prompted vendors to develop their own methods for simplifying Wi-Fi setup without placing too much technical burden on users.

However, these approaches led to compatibility problems. As a result, in 2006, the Wi-Fi Alliance introduced a standardised method for securely setting up and connecting to WPA/WPA2 Wi-Fi networks, known as WPS (Wi-Fi Protected Setup).

WPS made it possible to connect new devices without ever typing the long password. It was a highly convenient feature; however, as is often the case, convenience comes at the cost of security, and this was no exception.

In my previous articles, I mentioned completely disabling the WPS feature, and in this article, I will explain why.

Let’s start with the behind-the-scenes of WPS…

WPS provides a structured framework that enables easy, secure setup and management of wireless networks. You no longer have to enter the actual password to connect a new device.

But how?

To make it easier for non-technical users, WPS utilises the “Lock and Key” mental model.

Let’s use a simple example to illustrate this before we dive into the technical details. Imagine yourself as an Airbnb owner; you frequently rent your house, and I am a traveller staying at your place.

I introduce myself, and you successfully identify me after checking my documents. Once you verify my identity, you hand over the key, which I use to unlock the door and access your house.

WPS works the same way; it hands over the WPA credentials once you prove your authenticity.

The Skeleton (The Architecture)

Components

Three logical actors drive this entire process:

Enrollee: A device seeking to join the network (e.g., phone, printer, desktop).
Registrar: The device authorised to issue and revoke WLAN (Wireless Local Area Network) credentials.
AP: The Access Point (router), which provides connectivity and acts as a proxy.

Even though these three components remain logically separate, they often physically coexist. For example, an access point frequently incorporates the registrar, or the registrar may exist as a separate device. In the case of an external registrar, like a PC or phone, it can even coexist with the enrollee; your PC could act as both at the same time.

The most common and simplest setup features a standalone configuration where your AP includes an in-built registrar.

Interfaces

Depending on the data flow between these three components, the architecture utilises three interfaces:

1. Interface A

This interface connects the AP and the Enrollee. Its primary function involves enabling the discovery of Wi-Fi Protected Setup WLANs and facilitating communication between the Enrollee and Registrars via WLAN or Ethernet (using UPnP).

:::info

The WPS IE (Information Element) management frame provides the discovery information. According to the specification, this information serves merely as a hint and remains unauthenticated; therefore, users should not trust it.

:::

2. Interface E

This interface sits between the Enrollee and Registrar. It enables the Registrar to discover the enrollee and issue WLAN credentials. Here, the AP can physically act as a proxy to convey messages; this interface mainly uses WLAN communication or another out-of-band channel.

3. Interface M

Interface M links the AP and the Registrar. It allows an external registrar to manage a WPS AP, using the same registration protocol used for issuing credentials.

While this covers the architecture or the skeleton, the core functionality of WPS lies in the Registration Protocol.

Registration Protocol

The Registration Protocol functions as a three-party in-band protocol to assign a WLAN Credential to the Enrollee. It operates between the Enrollee and the Registrar using mutual authentication and may receive support through a proxy (AP).

WPS utilises two main operating modes: in-band and out-of-band. The Registration Protocol can run entirely in-band, entirely out-of-band, or through a combination of both (hybrid).

1. In-Band

In-band refers to communication within the same channel. In this context, communication between devices within the WLAN. This configuration performs a Diffie–Hellman key exchange, authenticating it with a shared secret called a device password.

Users obtain the device password from the Enrollee and enter it into the Registrar manually via keypad, USB flash drive, or NFC in a hybrid setup.

PBC (Push Button Configuration): This method offers the simplest but least secure configuration, triggered by pressing a physical or logical button on the enrollee or registrar. Upon activation, the enrollee actively searches for a registrar in PBC mode. Once it identifies a registrar, the protocol begins. Alternatively, pressing the button on the registrar triggers a 120-second scan for enrollees known as the “walk time” (the time it takes to walk up to your router). To avoid session overlap, both devices terminate the session if they detect more than one registrar or enrollee in PBC mode.
PIN (Personal Identification Number): This method requires manual entry of the Device Password or PIN. Devices generally fall into three categories:

Headless devices: These lack a display and use a static 8-digit PIN printed on the hardware (like most home routers).
Devices with displays: These generate a dynamic PIN for each session, varying between 4 and 8 digits.
Hybrid mode: This uses NFC or USB flash drives to deliver strong passwords instead of a standard PIN.

2. Out-Of-Band (OOB)

OOB refers to communication via a separate, dedicated channel, such as a physical Ethernet connection (UPnP). The goal involves sending WLAN credentials and configuration across this out-of-band channel to the enrollee. The out-of-band channel offers optional encryption for these settings.

Currently, WPS supports two out-of-band channels: USB flash drives and NFC.

USB Flash Drive: This process remains simple: plug the USB into the external registrar or AP; the registrar writes the credentials to the drive, which you then plug into the enrollee to establish the connection.
NFC (Near Field Communication): This contactless technology enables short-distance communication up to 10 cm. It provides a highly secure peer-to-peer option. When a user touches the NFC device to the AP, the devices exchange configurations and Diffie-Hellman public keys via the encrypted NFC channel. This encryption and short physical distance render man-in-the-middle attacks infeasible.

WPS provides three options for out-of-band configurations:

1. Unencrypted Settings: This option places the WLAN credentials unencrypted onto the out-of-band media. It relies on the assumption that the user maintains physical control over the media (like the NFC token or USB drive).

Advantages: You can reuse the media with new enrollees without running the registrar again, and it supports legacy APs that cannot forward public keys.
Disadvantage: This convenience compromises security; if an attacker steals the media, they obtain the credentials immediately.

2. Encrypted Settings: This option employs a key derived from the enrollee’s public key (obtained in-band) and the registrar’s key to encrypt settings for that specific enrollee. This ensures the media only works for one device. Even so, users should still physically guard the media.

3. NFC Peer-to-Peer Mode: This option boasts the strongest security properties. In this mode, the interface performs a 1536-bit Diffie-Hellman exchange and delivers WLAN settings encrypted with 128-bit AES. Because the devices receive this data over the NFC channel, they implicitly authenticate the keys and settings.

You don’t have to choose just one; in hybrid setups, the initial trust occurs via OOB methods (NFC/USB) while the registration protocol happens via in-band WLAN. This proves the flexibility of the WPS architecture, whether in standalone or hybrid configurations.

Now, let’s look into the core of the registration protocol:

The registration protocol follows a lock-step model where everything occurs sequentially. Each step requires success before the process proceeds to the next. This 8-step sequence enables the Enrollee and Registrar to authenticate each other and issue WLAN credentials.

In short, these 8 steps fall into two phases:

Discovery: This phase starts when a user manually enters a password (obtained via display or label) into the Registrar. While waiting for the password, the registrar sends an M2D message containing its description to the enrollee. This allows the enrollee to identify and choose the correct Registrar.
Mutual Authentication and Issuing Credentials: Protocol messages M3-M7 incrementally demonstrate that both sides know the device password. Once both sides prove this knowledge, they exchange encrypted configuration data. Message protection relies on a key derivation key (KDK), which the system computes from the Diffie-Hellman secret, nonces, and the Enrollee MAC address.

Now, let’s dissect the 8 steps further:

1. *M1 (Enrollee – Registrar):
The enrollee sends its description (including *MAC*, *UUID-E*, and *device capabilities**), its *1536-bit Diffie-Hellman public key (PKE)*, and a *128-bit random nonce (N1)*.

2. M2 (Registrar – Enrollee):
The registrar responds with its own description,public key (PKR)**, a *random nonce (N2)*, and an **Authenticator (the *HMAC-AuthKey)*.

:::info

M2D: If a Registrar does not yet know the Enrollee’s PIN, it sends M2D. This discovery-only variant omits the public key and authenticator to inform the Enrollee of its presence without performing expensive cryptographic operations.

:::

3. **M3 (Enrollee – Registrar):
The enrollee sends *E-Hash1* and E-Hash2 as pre-commitments. These prove knowledge of the first and second halves of the device password (PIN) without revealing the digits immediately.

E-Hash functions as an HMAC (Hash-based Message Authentication Code) that locks together three elements:

A secret random nonce (E-S1 or E-S2)
Half of the PIN (PSK1 or PSK2)
The public keys

At this stage, the Registrar can see the hashes but cannot verify them yet, as it lacks the secret nonces required to complete the check.

4. **M4 (Registrar – Enrollee):
The Registrar sends its own pre-commitments (R-Hash1 *and *R-Hash2) to prove knowledge of the PIN. It also includes its first secret nonce (R-S1**), allowing the Enrollee to verify that the Registrar knows the first half of the password.

5. **M5 (Enrollee – Registrar):
The Enrollee sends its first encrypted secret nonce (E-S1). The Registrar uses this *E-S1* and the first half of the user-entered PIN to re-calculate E-Hash1. If the result matches the hash from M3, the first half of the password is officially verified. If verification fails, the protocol terminates immediately to prevent brute-force attacks.

6. **M6 (Registrar – Enrollee):
The Registrar sends its second encrypted secret nonce (R-S2), allowing the Enrollee to verify the Registrar’s knowledge of the second half of the PIN.

7. **M7 (Enrollee – Registrar):
The Enrollee sends its second encrypted secret nonce (E-S2) as its final proof of identity. The Registrar performs a final match against *E-Hash2* from message M3 to confirm the Enrollee knows the second half of the password.

8. **M8 (Registrar – Enrollee):
This message marks the culmination of the protocol — the moment the “key” to the network finally changes hands. Having fully authenticated the Enrollee, the Registrar sends the WLAN Credentials (SSID *and *Pre-shared Key**).

:::info

The KDK (Key Derivation Key) encrypts each of these messages.

:::

The registration protocol utilises EAP (Extensible Authentication Protocol) to transmit these messages. EAP employs the Wi-Fi Simple Configuration (WSC) method to enable the registration protocol; WSC serves as the core technology of WPS.

Now that we have a basic overview of the behind-the-scenes, we can get a closer look at why we disable WPS.

The Vulnerability

This article focuses on the vulnerabilities associated with in-band PIN authentication, while also providing a brief overview of other weaknesses in both in-band and out-of-band methods.

The core security principle behind WPS states:

The security of a system remains only as strong as its weakest component.

In other words, the weakest link in your architecture determines your overall security — a point that becomes much clearer as we walk through the vulnerabilities.

While the WPS architecture offers flexibility, its weakest component remains the PBC method. PBC provides zero entropy by using a “null PIN” (all zeroes) and omits authentication entirely, despite being the most convenient option.

But how does an attacker exploit this?

Two main vulnerabilities exist here:

If you press the PBC on the registrar first, and an attacker activates PBC on their enrollee before you do, they gain access to your network.
An attacker can set up a rogue AP and jam the signal from your actual registrar using a deauthentication attack. Since your device lacks a way to authenticate the legitimate AP, it connects to the attacker’s rogue registrar instead.

While the NFC peer-to-peer connection serves as the strongest option, it still carries the risk of theft. Out-of-band methods rely on implicit authentication based on possession; if an attacker steals your USB or NFC token, they compromise the network.

This leaves us with the PIN method. Devices with displays that generate dynamic PINs aim to provide the intended security, whereas labelled or fixed PINs remain susceptible to active attacks like brute-forcing. Ironically, the lock-step design intended to resist brute force actually facilitates both online and offline cracking.

Online Cracking

In this scenario, the attacker engages with a registrar to obtain the Diffie–Hellman keys and then tests different combinations. Whenever a half fails, the device responds with a WSC_NACK message. This feedback notifies the attacker of every failed attempt. Another major factor stems from a design flaw in PIN splitting—ironically intended to prevent brute-force attacks, it actually simplifies them.

An 8-digit PIN (10⁸) offers 100 million possible combinations. At a speed of one second per attempt, completing all combinations would take approximately 1,157 days. Even finding the password halfway through would still require around 578 days.

Not practical, right?

But PIN splitting makes it highly practical. Rather than attacking all 8 digits at once, an attacker cracks each half independently — 10,000 combinations (10⁴) for the first 4 digits, and only 1,000 (10³) for the second 3 digits.

Wait, shouldn’t it be second 4 digits?

Since the 8th digit is a checksum of the first seven, not a free variable, this leaves only 3 meaningful digits to crack in the second half. That collapses the search space from 100 million for the 8 digits down to just 7 digits with 11,000 possibilities, reducing the crack time to somewhere between 1.5 and 3 hours.

To mitigate this, vendors should implement lockouts. These trigger the AP to terminate the session after repeated failures, but the majority of vendors neglect this, adding an implementation flaw to the mix.

Offline Cracking

The offline attack, widely known as Pixiedust, represents a more specialised version. It requires only the messages containing E-S1 and E-S2 (secret nonces of the Enrollee). This vulnerability exists because some chipsets rely on weak pseudo-random number generators (like the Rand() function from C). With only a 32-bit state and no external entropy, these nonces become easy targets. This constitutes an implementation flaw rather than a design flaw. Pixiedust works far faster than online cracking; since these secret nonces help encrypt the PIN, cracking them exposes the PIN immediately.

:::warning

Brute force also creates another major issue: resource exhaustion. Repeatedly engaging with the registration protocol and computing Diffie-Hellman keys strains the AP’s CPU. This prevents legitimate devices from gaining access and, in the worst case, crashes the router.

:::

Finally, some vendors leave WPS enabled even after a user manually disables it — yet another common implementation flaw.

Now that you understand the underlying vulnerabilities, let’s see how an attacker applies this practically.

:::warning

Disclaimer: Everything shown in this blog was performed within legal boundaries and with full authorization from the network owner. This content is strictly for educational purposes. The author does not condone or take responsibility for any misuse of the techniques demonstrated.

:::

The Attack

The kill chain follows a simple path:

**Reconnaissance
You cannot attack what you cannot see. I will utilise the Wash Wi-Fi analyser tool to discover nearby WPS-capable networks.
**Attack
Once I identify the target, I will employ Reaver, a WPS cracking tool, to perform both online and offline attacks. This demonstration highlights the offline (Pixiedust) method.

But first, let’s set up the environment..

Install Reaver:

Since the latest version of Reaver includes both Wash and Pixie Dust, you do not need to install them separately

sudo apt install reaver

installing reaver

A wireless adapter with monitor mode remains necessary to carry out this attack. Since I am using my Raspberry Pi, I will first confirm the adapter connection:

lsusb

lsusb

A comprehensive guide on setting up a Raspberry Pi Zero W:

https://hackernoon.com/setting-up-pi-zero-for-pi-fi-hacking?embedable=true

Now, it’s time to switch the wireless adapter interface to monitor mode.

First, find the interface:

iwconfig

Switch to monitor mode:

For ease of use, you can utilise airmon-ng from the Aircrack-ng suite to activate monitoring mode

Install aircrack-ng (this includes airmon-ng):

sudo apt install aircrack-ng

Monitor mode:

sudo airmon-ng start <interface>

Alternatively, you can configure it manually using iwconfig and ifconfig:

ifconfig <interface> down # take the interface offline
iwconfig <interface> mode monitor # switch to monitor mode
ifconfig <interface> up # bring the interface back online

Verify that the interface operates in monitor mode rather than managed mode:

iwconfig <interface>

Now, it’s time to commence the reconnaissance stage…

Recon

Wash is a utility to discover WPS-capable networks.

By default, the tool passively surveys nearby networks by capturing broadcasts on the live interface:

sudo wash -i <interface>

This displays several columns in the output:

BSSID: The MAC address of the AP.
CHANNEL: The operating channel of the AP.
WPS VERSION: The supported WPS version.
WPS LOCKED: The current lock status reported by broadcast packets.
ESSID: The name (SSID) of the AP.
dBm: Signal strength; lower numbers indicate closer proximity to the target.

You can also gather more information using an active scan, which sends probe requests to all nearby networks. Note that this method appears noisier and less stealthy:

wash -i <interface> --scan

Additionally, applying --json provides deeper details about WPS firmware and other metadata in a JSON format.

Now that I have the BSSID and channel of the target, I can commence the attack

Attack

Reaver performs a brute-force attack against the WPS PIN of an AP.

Online Attack

This method requires a traditional brute-force attack on both PIN halves by actively engaging with the registration protocol. During the attack, my impatience grew as the process dragged on, eventually triggering a WPS lockout and extending the duration even further. This approach proved the least efficient for cracking the WPS PIN.

reaver -i <interface> -b <target_bssid> -vv

The -vv flag enables verbose mode, providing more detail on the background processes. Modern routers detect brute-force attempts and trigger a lockout state; consequently, Reaver stops the attack after ten consecutive errors. It then waits 60 seconds before re-checking the router status and resuming once the lockout resets. While several methods claim to avoid lockouts or force resets, they remain unreliable as they depend entirely on specific firmware.

:::tip

You can also apply --dh-small to speed up the attack. This uses smaller Diffie-Hellman keys to reduce calculation time.

:::

Note that the online method can trigger a DoS (Denial of Service) and disrupt connections for legitimate devices. Each attempt requires recalculating Diffie–Hellman keys, which strains the AP’s CPU.

Offline Attack (Pixie Dust)

This represents the fastest and most reliable method from my tests. It utilises Pixie Dust, now integrated into the latest Reaver version. This attack exploits weak secret nonces generated by functions like Rand(). While this vulnerability affects only specific chipsets, it remains a major flaw across many vendors. Because it only requires E-Hash1 and E-Hash2, the attack operates entirely offline after the initial capture, without further participation in the registration protocol.

sudo reaver -i <interface> -b <target_bssid> -K -vv

-K is to specify pixiedust attack mode.

You can see how it captured all the necessary components:

Seed N1: The seed for generating N1 (the random nonce of the enrollee)
Seed ES1: The seed for generating E-S1 (the first secret nonce of the enrollee)
Seed ES2: The seed for generating E-S2 (the second secret nonce of the enrollee)
PSK1: The first half of the PIN.
PSK2: The second half of the PIN.
ES1: The first secret nonce of the enrollee.
ES2: The second secret nonce of the enrollee.
WPS PIN: The cracked WPS PIN.

The seed is the starting point for the pseudo-random number generator. A weak seed is what makes many chipsets vulnerable, some are known to use Unix timestamps as seeds, which are predictable and trivially guessable by an attacker.

Now we have the WPS PIN and the PSK for the Wi-Fi network.

This method proved extremely efficient, taking only 9 seconds to crack the PIN compared to the hours required for an online attack.

To compare the two, let’s return to the Airbnb analogy. You rely on a specific piece of information to verify me as the actual customer — a shared secret between us. In online cracking, I keep knocking on your door and shouting different secrets until I hit the right one. This remains loud and unreliable.

In offline cracking, however, I examine your door’s lock, discover its weak internal mechanics, and take measurements. I then go home, build a matching key, and use it the next day to enter your home effortlessly. Scary, right? This demonstrates exactly what happens when you enable WPS without realising the risk.

Conclusion

The WPS PIN functions as intended for devices with displays that generate dynamic PINs. The vulnerability emerges primarily when headless devices, such as routers, use static PINs. Furthermore, attacks like Pixie Dust bypass design flaws to exploit implementation errors from the vendor’s side.

Overall, the principle ‘the security of a system remains only as strong as its weakest component’ best explains the failure of WPS. The specification itself anticipated many of these risks — but by offering a convenience-first option and leaving critical safeguards to vendor discretion, the architecture was only ever as secure as its weakest implementation.

The modern world categorises WPS as deprecated functionality that users should no longer employ. Despite this, legacy APs in small businesses and homes still widely rely on it.

Once we install a router, most of us neglect the configuration. Yet, regardless of how convenient vendors make it, the responsibility to configure and maintain a secure network ultimately falls on the user.

With this, we have now seen how WPS works and how attackers exploit it.

Until next time, stay safe…

Like 0

Liked Liked